Industrial Strength Refinement Checking Jesse Bingham, John Erickson, Gaurav Singh, and Flemming Andersen Intel IAG FMCAD 2009 1
Introduction Standard approach to FV of HW protocols Develop high level model (HLM) in guarded-command- like language (eg Murphi, TLA, Spin etc) Write invariants, e.g. cache coherence Model check as big as you can So the HLM is golden, but what about the implementation (RTL)? Ideal: prove that RTL implements HLM… hard! Our solution: test that RTL implements HLM during dynamic simulation check == test in this talk/paper 2
Key point #1 The ingredients needed for equivalence testing are also needed to prove implementation. ⇒ might as well start with testing 3
What should Implements Mean ? What does it mean for RTL to implement HLM? They have different execution semantics state variables/representations rule atomicity (HLM has more) rule concurrency (RTL has more) Not always clear [Vardi FMCAD09] For our domain, we found a notion we call behavioral refinement appropriate… Similar to notion of Bluespec and also super-scalar processor verification literature 4
Behavioral Refinement … RTL Behavior (i.e. simulation) one RTL clock cycle reset state 5
Behavioral Refinement a rule fires initial state … Murphi Behavior Murphi Behavior (witness) … RTL Behavior RTL Behavior (i.e. simulation) one RTL clock cycle reset state 6
Behavioral Refinement a rule fires initial state … Murphi Behavior Murphi Behavior (witness) Refinement map … RTL Behavior RTL Behavior (i.e. simulation) one RTL clock cycle reset state 7
Behavioral Refinement a rule fires initial state … Murphi Behavior (witness) Refinement map … RTL Behavior RTL Behavior (i.e. simulation) one RTL clock cycle reset state Each RTL clock cycle corresponds to zero or more rules firing 8
How Refinement Checker Works Idea : at each RTL cycle, select what sequence of rules are about to fire … RTL simulation r 9
How Refinement Checker Works Idea : at each RTL cycle, select what sequence of rules are about to fire … Murphi RM ( r ) … RTL simulation r 10
How Refinement Checker Works Idea : at each RTL cycle, select what sequence of rules are about to fire Rule selection … … Next Murphi RM ( r ) … RTL simulation r 11
How Refinement Checker Works Idea : at each RTL cycle, select what sequence of rules are about to fire Rule selection … … Next Murphi RM ( r ) RM ( r ′ ) =? … r ′ RTL simulation r 12
Example: Toy Cache Controller CPU Cache Controller Main Memory 13
Toy Cache in Murphi Cpu2Cache Addr Data State Invalid Dirty 0xC54 0x823E CacheArray … … … Clean 0x6D7 0x01 Cache2Mem 14
Eviction Ruleset i : CacheIndex “Evict" CacheArray[i].State != Invalid ==> if (CacheArray[i].State == Dirty) begin Cache2Mem.opcode := WriteBack; Cache2Mem.Addr = CacheArray[i].Addr; Cache2Mem.Data = CacheArray[i].Data; end; CacheArray[i].State := Invalid; end 15
Receiving a Store Request Ruleset i : CacheIndex “Recv_Store" Cpu2Cache.opcode = Store & ( ( CacheArray[i].State != Invalid & CacheArray[i].Addr = Cpu2Cache.Addr) | ( addr_misses_in_cache(Cpu2Cache.Addr) & CacheArray[i].State = Invalid ) ) ) ==> CacheArray[i].Data := Cpu2Cache.Data; CacheArray[i].State := Dirty; Absorb(Cpu2Cache); end 16
Cache Controller RTL Cpu2Cache Cache State Cache Data Pipe stage 1 & Addr Array Array Hit? Eviction Logic Pipe stage 2 Cpu2Mem 17
Example RTL Behavior Store Evict Store(A0,D0) Cache State Cache Data Pipe stage 1 & Addr Array Array Hit? Store(A0,D0) Dirty,A0 Dirty,A1 D1 D0 Eviction Logic Pipe stage 2 WriteBack(A1,D1) Store(A0,D0) WriteBack(A1,D1) 18
Key point #2 Pipelining causes rules that are atomic in Murphi to be non-atomic in the RTL… This non-atomicity is resolved by the refinement map & history variables 19
Key point #3 Murphi semantics fire one rule at a time, while RTL has true rule concurrency. This is resolved by rule selection , which picks a sequence of Murphi rules to fire @ each RTL clock cycle 20
Example with Refinement Checker Evict RecvStore HLM RTL Store(A0,D0) Cache State Cache Pipe stage 1 & Addr Array Data Array Store(A0,D0) D1 D0 Dirty,A0 Dirty,A1 Pipe stage 2 WriteBack(A1,D1) Store(A0,D0) WriteBack(A1,D1) 21
BTW: Everything’s System Verilog RTL design under verification HW designers Test stimulus HW validators Refinement Map Paper gives disciplined approach to writing SV Rule Selection code for these buggers Us (FV team) High Level Model in consultation with Architects compiled into SV by a tool mu2sv ⇒ any off-the-shelf SV simulator works 22
mu2sv Translates a Murphi model into SV Typedefs, procedures, functions, procedures, invariants State variables get wrapped in a record type called MURPHI_STATE Murphi rule R becomes SV function function MURPHI_STATE R_sv(MURPHI_STATE ms,...); Errors if invoked when R ’s guard is false in ms Rule coverage logging Valuable feedback for test-writers 23
Inspiration • S. Tasiran, Y. Yu, and B. Batson, Linking simulation with formal verification at a higher level . IEEE DToC, 2004. • Used TLA+ & linked TLC model checker to simulation engine • Done as research after the project was complete • Showed that subtle bug would have been caught 24
Application: Hierarchical Cache Protocol Core Core Core Core Core Core cache cache cache cache cache cache Level1 Level1 Protocol Protocol Manager Manager QPI Home Agent Was not deployed due • 3 person months to • to chip cancellation ;-( develop Could allow up to 8 • Caught 8 bugs during • murphi rules to fire per just 1 month of RTL clock deployment! 25
Recommend
More recommend
